Monday, January 15

Passed the GIAC GSEC

I passed both of my exams for the GIAC GSEC! I am now GSEC number 7131. Passing both exams qualifies a candidate for the GSEC Silver certification.

After passing the exams, there is an option to "Go Gold" where you complete a written practical on a selected security topic. Over the next several weeks, I will select a topic and proceed with the Gold Certification.

Despite the cost of the training, the entire experience was very well worth it. The content of the training material was top notch, the instruction was great, and the trip to Chicago was an event in itself.

Around three months ago, I accepted a new position with my current employer on our network security team. Going for the cert (I had not passed the exams at that point) and paying for it out of pocket showed the interviewers I was truly interested in and committed to the field of information security. In this instance, certification mattered.

For those that can attend, I highly recommend the training.

See my scores here.
Search for others with the GSEC here.

Sunday, January 14

ophcrack LiveCD - a nerd story

Password cracking is nothing new. Ophcrack and Ophcrack LiveCD have been all over Digg, Lifehacker, and the rest of the net.

I read a couple of posts on Digg about the tool, but never had reason to test the tool. Working in NetSec, there are always new and exciting things that appear on our radar. In short, we had some vendor supplied (and supported) servers and they either lost or misplaced the local admin password.

I made a quick visit to the ophcrack page for the ISO and also downloaded the Windows Server Resource Kit tools for cdburn.exe to burn the iso.

The admin password was cracked in about 10 minutes. The entire list of 10 accounts (including IUSR and IWAM) was cracked in maybe 25 minutes -- I wasn't keeping an exact count.

Two things:
  1. The tool just worked. It boots up and goes. No real work involved.
  2. This is a great way to audit local password strength. We learned the vendor-selected passwords were pretty weak.

I had a small assignment in one of my classes at Capitol College using John the Ripper. It worked well, but it was not the most expedient process.

Rainbow tables obviously speed things up. Thanks ophcrack.
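Because Windows stores local account hashes unsalted, much of what the LiveCD turns up can be read straight off a hash dump before anyone cracks anything. The Python below is an added example, not code from this post or from ophcrack: it parses pwdump-style lines (user:rid:lmhash:nthash:::, the format ophcrack loads) and flags accounts that still have an LM hash stored, a password of 7 characters or fewer, an empty password, or a password shared with another account. The sample dump and its hex values are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Well-known constants for the unsalted Windows hash formats (not values from the post).
LM_EMPTY_HALF = "AAD3B435B51404EE"              # LM hash of a blank 7-char half
LM_EMPTY = LM_EMPTY_HALF * 2                    # LM field when no LM hash is stored
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of the empty password
RECORD_RE = re.compile(r"^([^:]+):(\d+):([^:]*):([^:]*):")  # user:rid:lm:nt:::

def _hexfield(value: str) -> str:
    """Upper-case 32-hex-digit hash, or '' for markers such as 'NO PASSWORD***'."""
    value = value.strip().upper()
    return value if re.fullmatch(r"[0-9A-F]{32}", value) else ""

def audit_pwdump(dump: str) -> Dict[str, List[str]]:
    """Return {account: [findings]} for accounts an ophcrack run would recover cheaply.
    Nothing is cracked: each check is a property readable straight from the dump."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_nt: Dict[str, List[str]] = defaultdict(list)  # NT hash -> accounts sharing it
    for line in dump.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        user, lm, nt = m.group(1), _hexfield(m.group(3)), _hexfield(m.group(4))
        if nt == NT_EMPTY:
            findings[user].append("empty password")
        if lm and lm != LM_EMPTY:
            # Any LM hash at all means the host still stores the weak DES-based form.
            findings[user].append("LM hash stored (LM rainbow tables apply)")
            if lm[16:] == LM_EMPTY_HALF:
                # Blank second half: the password is 7 characters or fewer.
                findings[user].append("password is 7 chars or fewer")
        if nt and nt != NT_EMPTY:
            by_nt[nt].append(user)
    # Unsalted hashes: equal NT hashes mean equal passwords, visible without cracking.
    for users in by_nt.values():
        for u in users:
            if len(users) > 1:
                others = ", ".join(x for x in users if x != u)
                findings[u].append(f"same password as {others}")
    return dict(findings)

# Constructed sample dump; the hex values are made up for illustration.
SAMPLE_DUMP = """\
Administrator:500:1122334455667788AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
IUSR_HOST:1001:1122334455667788AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
IWAM_HOST:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
"""
```

Calling audit_pwdump(SAMPLE_DUMP) reports Administrator and IUSR_HOST as short, LM-stored and sharing a password, Guest as empty, and nothing for IWAM_HOST, whose LM field is the empty constant.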

This tool is obviously not hard to use. Might it change the way you manage (or think about managing) your workstations? Privilege escalation, anyone? Do you know who might be on your outsourced overnight cleaning staff?

Good thing people don't store files locally on their workstations ... I mean, uh.
Here comes full drive encryption.

Saturday, January 13

Firm: Seven steps for a more secure network

Combine New Year's resolutions with this SC Magazine article and what do you get? Questionable advice.

The article starts out great.
IT security professionals should rely on personal vigilance and implemented methodologies - not just the slew of new products hitting the marketplace - to protect their networks in 2007.
Sounds good. Yes to vigilance and yes to method. Just buying things is bad. Nice work.

Now for the fun.
1. Change every password before the year's end. By taking this first step, you will enhance the security of every online commerce site visited, every computer, and every other password-protected device or website in use. Avoid easily discovered passwords, such as names or numeric series. Change your passwords at least quarterly in 2007.
Sound advice, except he didn't mention anything about passphrases.
2. Download patches and updates. Even some off-the-shelf computer security programs offer downloadable updates or "patches" capable of detecting the newest viruses and closing "backdoors" that hackers have discovered. Operating systems should be patched and upgraded at year-end, and regularly as well.
Nice work. Patch your systems. Someone send this guy a check.
3. Hire a hacker. The holiday lull is the perfect time to conduct a "penetration test" to pinpoint weaknesses in a network's security. These tests emulate a hacker's invasion of a network; but rather than attacking databases and network tools, these scans identify specific vulnerabilities and propose solutions.
Hire a hacker? I'm not even going to touch the hacker-versus-cracker definition. A pen test over the holidays is not a bad idea; however, it depends on what type of test you are running. Black box, white box, or something in between? At times you want ops around to assist, and they can't do that while eating honey ham seven states away.
4. Conduct regular e-security check-ups. Automated, monthly remote risk assessments can be conducted for less cost than a single onsite review. These tests assure that confidential data is as secure as possible from external attack. In a hacker prone era rife with data theft, high levels of spam, and increasingly innovative computer fraud, waiting a full year between assessments is no longer a viable option.
What the hell is this guy talking about here? Isn't it our goal to protect data --- every day? And what exactly does he mean by "automated, monthly remote risk assessments"? "Make sure things are good" would have been just as powerful. Sigh. I assume he is talking about using a service such as Qualys to scan and report on your external-facing systems. Those results can then be compared against preexisting baselines or standards to evaluate compliance and document change.

While I agree with looking at your risks from the outside in, what about from the other direction? What is being sent outbound? How about monitoring / measuring that?!? Aren't these guys an email security company?
5. Communicate your data security policy. All personnel should be briefed on the importance of protecting confidential customer data. Disseminate a policy on how and when, if ever, this data should be included in unsecured email correspondence with customers and others. Implementation of an encrypted email system would be a major security step forward.
Yes. Finally, something I can agree with. I would also add that one should begin looking at filtering outbound mail. It helps to know how your customer service reps, execs, and IT professionals are sending their electronic communications (primarily for unencrypted mail).
6. Keep your network virus-free. A thorough evaluation of your network is essential to protect entry points (such as email attachments, shared files, infected websites, downloads), and to minimize infection. Simply installing anti-virus (AV) software is not enough. The AV system still needs to be monitored to make sure the most recent definition files are updated on all devices and you are alerted when a device is not "up-to-date." Look to providers which offer a full suite of AV services that can keep current with fresh outbreaks.
10-4, good buddy. Also think about reporting. Metrics mean money! Remember that. When you need head count, funding, or a promotion --- you must have metrics. Also remember that one vendor for the whole environment isn't always the answer. What is best for clients is not necessarily what is best for servers. Moreover, AV vendors differ greatly from platform to platform.
7. Consider "giving up" on do-it-yourself security. The New Year is a good time to consider outsourcing network security to a company dedicated to keeping up with the latest demands of computer network security.
Depending on the size and nature of the company, I agree. Small shops should think about getting some help; if nothing else, a plan for security with periodic checkups. Larger shops need IT security professionals (even if just a few) to check up on the outsourced work.